
Security Bulletin for 30 June 2026: Critical Unauthenticated SQL Injection in EventON, Account Takeover in ProfileGrid and a Deserialization Flaw in Export User Data

30 June 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. For 30 June 2026 we highlight three vulnerabilities disclosed today: two critical flaws that can be exploited without a login, plus a serious deserialization flaw that can lead to code execution.

CVE-2026-9711 — Unauthenticated SQL Injection in the EventON Calendar (critical)

EventON, an events calendar used on many sites for (virtual) events, contains an SQL injection vulnerability in all versions up to and including 5.0.11 that can be exploited without a login. The value supplied via the search parameter is incorporated into a database query without being escaped or bound as a parameter, allowing an attacker to inject their own SQL statements. Because an SQL injection can, in the worst case, read the entire database contents — including user accounts and stored password hashes — the impact is severe. Exploitation requires the plugin’s additional-search-queries setting to be enabled and at least one published event to exist. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and places it in weakness class CWE-89 (SQL injection). At the time of writing no corrected version is listed; operators should update EventON to the latest available version without delay and, while no fix is available, turn off the additional search function mentioned above or deactivate the plugin as an immediate measure.
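
To make the defect class concrete, the following is an added illustration written for this bulletin, not EventON’s own code: a WordPress-style search handler in the vulnerable shape (the search term spliced into the SQL string) next to the corrected form that binds the value through $wpdb->prepare(). The request parameter name `search`, the post type `event` and the query against the core posts table are assumptions.

```php
<?php
// Added illustration for this bulletin, not EventON's code. The parameter
// name "search", the post type "event" and the posts-table query are assumed.

// BEFORE (CWE-89): the term is concatenated into the query. Any quote or SQL
// metacharacter in the parameter becomes part of the statement.
function event_search_unsafe( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'event' AND post_status = 'publish'
              AND post_title LIKE '%{$term}%'";
    return $wpdb->get_results( $sql );
}

// AFTER: the term is passed as a bound value. esc_like() neutralises the LIKE
// wildcards % and _ so the term cannot widen the match, and prepare() quotes
// and escapes the value so it can never terminate the string literal.
function event_search_safe( $term ) {
    global $wpdb;
    $term = sanitize_text_field( wp_unslash( $term ) );
    if ( '' === $term || mb_strlen( $term ) > 100 ) {
        return array(); // reject empty and oversized terms before querying
    }
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = 'publish'
           AND post_title LIKE %s
         LIMIT %d",
        'event',
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Request handler. Search is reachable without a login, so the query itself
// has to be the barrier; the handler only reads the parameter defensively.
function event_search_handler() {
    $term = isset( $_GET['search'] ) ? (string) $_GET['search'] : '';
    return event_search_safe( $term );
}
```

The same pattern applies to any other plugin input that ends up in a LIKE clause: every user-supplied value goes through prepare() as a placeholder argument, never into the format string.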

Sources: National Vulnerability Database — CVE-2026-9711 · CVE Record — CVE-2026-9711

CVE-2026-12073 — Unauthenticated Account Takeover in ProfileGrid (critical)

ProfileGrid, which provides user profiles, groups and communities in WordPress, contains a critical vulnerability in all versions up to and including 5.9.9.5 that can be exploited without a login. Because a function processes a user-controlled key without checking whether the caller is authorized to do so, an attacker without a valid account can change the stored email address of the administrator account to an address they control, then request a login link via the password reset function — and thereby take full control of the site. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and places it in weakness class CWE-639 (authorization bypass through a user-controlled key). This is the second time this week we have seen exactly this pattern — a login-free endpoint without an authorization check that enables account takeover. At the time of writing no corrected version is listed; operators should update ProfileGrid to the latest available version without delay and, while no fix is available, deactivate the plugin.

Sources: National Vulnerability Database — CVE-2026-12073 · Wordfence — ProfileGrid CVE-2026-12073

CVE-2026-12240 — Deserialization Flaw with File Deletion in Export User Data (high)

The Export User Data plugin contains a flaw in its handling of serialized data in all versions up to and including 2.2.6. Because a file path obtained during unserialization is not adequately validated, an arbitrary file on the server can be deleted — for example the central configuration file wp-config.php, whose removal can in turn open the way to a full takeover, up to and including code execution. To exploit it, an already logged-in user with a low role (Subscriber or above) supplies the crafted data in advance; the deletion takes effect as soon as an administrator triggers the export of user data. The National Vulnerability Database assigns a CVSS score of 8.0, classifies the flaw as high and places it in weakness class CWE-502 (deserialization of untrusted data). At the time of writing no corrected version is listed; operators should update the plugin to the latest available version without delay or deactivate it until a fix is released.

Sources: National Vulnerability Database — CVE-2026-12240 · Wordfence — Export User Data CVE-2026-12240

This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.